The General Data Protection Regulation (GDPR) will come into force and apply directly in all EU member states
from 25 May 2018. The UK's decision to leave the EU will not affect the commencement of the GDPR. It
runs to 88 pages, 99 articles and 173 related recitals and is therefore no small piece of
legislation.
Overall, the principles under the GDPR are similar to those under the current Data Protection Act.
However, there are new elements and significant enhancements, particularly in relation to accountability.
The GDPR puts the onus on organisations to demonstrate how they comply with the data protection principles,
and there is a greater emphasis on documenting specific processing activities.
Other key changes to be aware of include:
• Wider scope of application – certain definitions under the GDPR have been broadened, for
example, the definition of "personal data", which now expressly covers identifiers such as location data and online identifiers.
• Higher penalties – the GDPR introduces tougher sanctions, including administrative fines for
non-compliance of up to €20,000,000 or 4% of the organisation's total worldwide annual turnover (whichever is
the greater).
• Data breach notifications – the GDPR places a duty on controllers to report certain types
of personal data breach to the relevant supervisory authority, and in some cases to the individuals affected.
• More significant rights for individuals – the GDPR creates new rights for individuals and also
strengthens some of the existing rights under the Data Protection Act.
• Children's personal data – the GDPR contains new provisions enhancing the protection of
children's personal data; previously, under the Data Protection Act, there was no
special protection for children.
Further information on how to prepare for the GDPR is set out in our Thirteen Point Guide overleaf.
Thirteen Point Guide to the General Data Protection
Regulation (GDPR)
GDPR Guide – Thirteen steps to take now
Preliminary steps
1. Awareness
Ensure that the key people in your organisation know that the law is changing and that they
understand the impact that it will have on the organisation; reviewing the organisation’s policies early
will give you a head start. The ICO publishes an overview of the GDPR on its website.
2. Information you hold
Carry out an audit to determine what personal data you hold, where it came from, who you share
it with and on what legal basis you process it. Under the GDPR, most organisations will need to maintain records of processing activities
setting out, among other things, the purposes of the processing, the categories of data and recipients, and the legal basis relied on, so getting your records in order before the GDPR comes
into effect will give you a head start. See Article 30.
3. Communicating privacy information
Existing data protection and privacy notices/policies are unlikely to be fully compliant with the GDPR, so the
necessary amendments will need to be made to them in time for the implementation of the GDPR.
The GDPR requires information to be provided in concise, easily accessible and clear language, and expands
the information that must be given to individuals (for example, the legal basis for processing, the retention period and the right to complain to the ICO).
See Articles 12 to 14.
4. Data Protection by Design and Data Protection Impact Assessments
Under the GDPR, data protection by design and by default is a legal requirement, and in certain circumstances a
data protection impact assessment (DPIA) will be mandatory. A DPIA will be required where processing
is likely to result in a high risk to individuals, for example, where new technology is being used, where
individuals are profiled or evaluated systematically and extensively, or where special categories of personal data are processed on a large scale. See Articles 25 and 35.
5. Data Protection Officers
Ensure that you designate someone to take responsibility for data protection within your organisation.
In certain cases you must formally designate a Data Protection Officer: if you are a
public authority, or if your core activities involve regular and systematic monitoring of individuals on a large scale
or large-scale processing of special categories of personal data. See Articles 37 to 39.
Rights
6. Individuals’ rights
Under the GDPR there are enhanced rights for individuals; you should ensure that your procedures
and policies cover all of the rights that individuals have, including the right to be informed, the right of
access, the right to rectification, the right to erasure, the right to restrict processing, the right to data
portability, the right to object and rights in relation to automated decision making and profiling.
7. Subject access requests
Ensure that procedures are updated to take into account the new rules on requests; in most cases
you will not be able to charge for a request and will have one month to comply, extendable by up to two
further months for complex or numerous requests provided you tell the individual within the first month. See
Articles 12 and 15.
8. Lawful basis for processing personal data
Under the GDPR you will need to be able to explain the legal basis for your processing activity. This
will need to be documented and your privacy notice will need to be updated to explain this. See Article
6.
Consent
9. Consent
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of
the individual’s wishes. There must be a positive opt-in and consent must be separate from other
terms and conditions. See Article 7.
10. Children
The GDPR puts in place special protection for children. Where you rely on consent to process a child's
personal data in the context of information society services offered directly to the child (for example, social networking),
you will need the consent or authorisation of a parent or guardian, and you must make reasonable efforts to verify it.
The age at which a child can give their own consent to such processing is sixteen, although member states may set a lower age of no less than thirteen, and the UK has indicated that it will do so. See
Article 8.
Notifications
11. Data breaches
Where a personal data breach is likely to result in a risk to the rights and freedoms of
individuals, you will need to notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it.
You must also notify the affected individuals without undue delay where the breach is likely to result in a high risk to them,
for example, if the breach may result in discrimination, identity theft or financial loss. You should keep an internal record of all breaches,
whether or not they are notified. See Articles 33 and 34.
International
12. Transfers within the EU
Where you have establishments in more than one EU member state, you should determine which supervisory authority is your
lead supervisory authority; this will normally be the authority for the member state in which your main establishment is located. See Article 56.
13. Transfers outside the EU
Under the GDPR, the transfer of personal data outside of the EU is prohibited unless certain
conditions are met. Transfers are permitted where the destination country has been found by the European Commission to provide adequate protection,
or where appropriate safeguards are in place (for example, standard contractual clauses or binding corporate rules). In the absence of these,
transfers may still be made in limited cases, for example with the individual's explicit consent, for
important reasons of public interest or where necessary for the performance of a contract with the individual. See Chapter 5.
Brian Miller is a solicitor and partner and Preena Patel a trainee solicitor at Stone King LLP, providing specialist
advice in the fields of intellectual property, IT, data protection and commercial law.
If you would like further information about the GDPR, or if you have any concerns or queries in relation to it,
please contact Brian.
The Info Sheet series is designed to give you an overview of a particular area of law. They should not be acted on without taking professional advice on a
given situation.
stoneking.co.uk